Bugs of a Pernicious Nature
Every year, June bugs appear around this time. They can cause damage to all kinds of plant life. Their digital counterparts, security and privacy bugs, are equally as destructive.
Cicadas are also appearing now, some after 17 years underground! They may look harmful and sound annoying to some, and people often blame them for destruction, but they are highly beneficial: they aerate the soil, benefit most plants (use leaf netting to protect saplings if you have them) and provide nutrition to a wide range of wildlife. Those who know the difference between a harmful bug and a useful part of the ecosystem know it is important to raise general awareness so others can tell the difference too.
This cicada ring (below) is one of my favorites. It reminds me to raise awareness that what may be assumed, by outward appearances, to be harmful, annoying or useless in the tech world (e.g., multi-factor authentication) is not always so. Likewise, things that appear beautiful, exciting, convenient, fast or free may very well be hiding code of a pernicious nature (e.g., ransomware).
Read on to learn how to recognize and use beneficial security tech, even when it seems annoying or unnecessary, and how to spot, avoid and/or report the pernicious digital bugs that may be hiding in your neck of the digital woods. You'll also get caught up on a lot of security and privacy news. I hope you enjoy and share!
Also, a quick question: We are considering including the news section details and links on our website, and using our Tips message to point to the News section to make the Tips shorter, and also to avoid spam filters mistakenly blocking the Tips. What do you think? Let us know!
I love cicadas! Such unique looking and beneficial insects. Their songs remind me of carefree youthful summers spent outside exploring nature. Several years ago, I got this cool Swarovski crystal and gold cicada ring during a flash sale for 80% off. It is a great conversation starter at conferences. I'll be sure to continue wearing it next year when I start attending such events again!
Rebecca
June Tips of the Month
- Privacy & Security Tips Q&A
- Data Security & Privacy Beacons
- Where to Find The Privacy Professor
You may notice a change in this month's issue. Readers have submitted many questions, so we are answering them as we go. We've also moved our tips higher so you can get to them faster!
Privacy & Security Tips
Rebecca answers hot-topic questions from Tips readers
I have a Dell computer. I read about a security problem with Dell “firmware.” What is that problem, and what do I need to do to fix it?
Dell announced in May a vulnerability in a driver that it had released as part of a firmware update. We recommend following Dell's directions to install the fix. The remediation searches your system for the vulnerable driver file and removes only that file; it does not change or delete any of your other files or data.
If you prefer to fix the vulnerability yourself, you can download the patch directly from Dell.
If you still have questions, contact your cybersecurity department to ask for help. With so many people working from home (WFH) and using their own personal computing devices, many organizations are offering assistance to help WFH employees with these types of tech issues.
I got a message from Nextdoor about the service updating its Terms. What do I need to know?
Nextdoor has dramatically changed its policies, including its soon-to-be-released privacy policy. Our team has not yet been through the changes in depth, but we plan to and will report our findings in the July Tips. In the meantime, here are two significant red flags to note:
- There appears to be a significant increase in the amount of personal information Nextdoor collects, monitors and shares with third parties.
- Nextdoor is reducing third-party transparency even further. In 2020's privacy policy, the service stated that users could only request a list of Nextdoor's partners once a year. Users were also barred from making those requests via phone, fax or mail. Beginning June 15, 2021, Nextdoor users can no longer obtain an actual list of third parties at all, only a list of categories. And here's the worst part: that list of categories is only available to residents of California. Nextdoor users, if you believe everyone using this social media site should have access to this option, not just Californians, contact Nextdoor and let them know!
Recommendations:
- Contact Nextdoor and let them know you want to be able to obtain a list of all the third parties with whom they are sharing your personal information.
- Let them know that EVERY Nextdoor user should be able to obtain this information!
What is the one thing about privacy law (Europe or US) that has been overlooked by most privacy law experts and/or citizens?
This great question could take a full week's class to discuss! The high-level answer is the need to understand the context of each situation. Determining whether an organization has complied with privacy laws requires thorough, expert consideration of a variety of factors. Achieving compliance in one situation, within its own unique context, can require a completely different set of actions than another, even seemingly similar, situation.
This is often overlooked. How to comply with most privacy laws is rarely the same, or definitive, for everyone and every situation; it depends on the unique situation and the factors that make up its context. Too many lawyers, consultants, IT pros, business leaders and others mistakenly believe, or tell others, that a specific action is always against a particular law, or that some other action is always in compliance with it. Given the vast range of contexts within which privacy laws must be implemented, and the complexity of our data ecosystems, the answers often differ from situation to situation.
Sometimes they differ a little; sometimes quite a lot!
My business is based in the US, but I have fewer than 10 people who work from the EU. Do I need to comply with GDPR?
Yes, you do; you must protect and use the personal data of your workers in the EU in accordance with GDPR. The EU General Data Protection Regulation (GDPR) protects the personal data of people in the EU by imposing a broad set of data privacy and security requirements. It applies to any employer that processes and holds personal data of workers who live in the EU, including US-based businesses with as few as one employee or contracted worker there.
Here are two additional things to consider:
- Citizenship is generally a moot point. If employees live in the EU, in most cases, their personal information must be protected in compliance with GDPR.
- Any third-party vendors that process your employees' personal data must also be in compliance.
What is the best VPN to use? Should I use what is offered by the systems or hardware manufacturer?
ExpressVPN and Surfshark are Rebecca's recommendations, mainly for ease of use and security. Others may choose differently. She notes there are many good options, including most of those that come with the system.
Data Security & Privacy Beacons*
People and places making a difference
McAfee's monthly tips are excellent for consumer awareness. Does your anti-malware tool provide similar? Let us know!
Jennifer Bayuk wrote the informative article, “Have Your Friends Asked you About Blockchain and Cryptocurrency?” An excerpt: “Blockchain is a technology that is used in multiple business applications, mostly financial, to keep track of business transactions and hold people accountable for changes to information. It creates a very hard to reproduce number for every change made to a multi-level transaction so it is possible to show with high probability that a given person or company authorized a change to data. It can be used to verify the integrity of any process wherein multiple parties participate in a step-by-step process and need incremental evidence to agree upon the outcome.” We recommend you check it out if you are interested in this topic.
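The "very hard to reproduce number for every change" in the excerpt is a hash chain: each record's hash covers its own content and the previous record's hash, so altering any earlier record invalidates everything after it. The following is an added illustration written for this issue, not code from Bayuk's article or from any blockchain product; the records, actor names and field layout are constructed for the example, and real blockchains layer signatures and consensus on top of this basic check.

```powershell
# Added example (not from the page): a minimal hash-chained ledger in PowerShell.
# Each record is bound to its predecessor by including the previous hash in its own
# hash input, so a change to any earlier record is detectable by re-walking the chain.

function Get-Sha256Hex {
    param([string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return (($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
    } finally { $sha.Dispose() }
}

function New-ChainRecord {
    param([int]$Index, [string]$PrevHash, [string]$Actor, [string]$Change)
    # The hash binds index, previous hash and content together. Field separators keep
    # ("ab","c") and ("a","bc") from producing the same input.
    $hash = Get-Sha256Hex ("{0}|{1}|{2}|{3}" -f $Index, $PrevHash, $Actor, $Change)
    [pscustomobject]@{ Index = $Index; PrevHash = $PrevHash; Actor = $Actor; Change = $Change; Hash = $hash }
}

function Test-Chain {
    param([object[]]$Chain)
    $prev = ('0' * 64)   # genesis record has no predecessor
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $r = $Chain[$i]
        $expected = Get-Sha256Hex ("{0}|{1}|{2}|{3}" -f $r.Index, $r.PrevHash, $r.Actor, $r.Change)
        if ($r.Index -ne $i -or $r.PrevHash -ne $prev -or $r.Hash -ne $expected) {
            return "Chain broken at record $i"
        }
        $prev = $r.Hash
    }
    return "Chain intact ($($Chain.Count) records)"
}

# Constructed sample: three parties each record one step of a multi-party process.
$steps = @(
    @('alice', 'created invoice #1042 for 500.00'),
    @('bob',   'approved invoice #1042'),
    @('carol', 'paid invoice #1042')
)
$chain = @()
$prev = ('0' * 64)
for ($i = 0; $i -lt $steps.Count; $i++) {
    $rec = New-ChainRecord -Index $i -PrevHash $prev -Actor $steps[$i][0] -Change $steps[$i][1]
    $chain += $rec
    $prev = $rec.Hash
}
Test-Chain $chain

# Tamper with the first record after the fact: the amount is silently changed.
# Record 0's stored hash no longer matches its content, so verification fails there.
$chain[0].Change = 'created invoice #1042 for 50.00'
Test-Chain $chain
```

An attacker who rewrites record 0 would also have to recompute record 0's hash and then every later record's PrevHash and Hash; in a shared ledger the other parties hold copies of those hashes, which is what makes the change "very hard to reproduce" without their cooperation.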
The Carnegie Mellon University (CMU) Security and Privacy Institute CyLab developed a new privacy tool providing guidance for designing privacy choices.
The Wall Street Journal provided great information on How to Back Up All the Photos on Your Phone. When Google Photos' free storage ends June 1, users may want to upgrade to a paid plan. The article details cloud photo-backup options.
Google announced plans to double its artificial intelligence (AI) ethics research staff. The reported changes will boost the operating budget of the team, which is tasked with evaluating code and products to avert discrimination and other problems. AI can offer benefits, like strengthening data and cyber security and privacy protections. However, if used inappropriately or with poorly constructed algorithms, it can cause significant data and cyber security incidents and privacy harms. We'll be watching to see if Google follows through and what actions come about as a result.
44 US States & Territories signed a letter urging Facebook to abandon its plan for a children’s version of Instagram. Officials warned the platform could harm kids in many ways, including those that violate privacy and cause long-lasting harm. Curious about the 10 state AGs who did not sign their support for this initiative? Here they are: Alabama, Arizona, Arkansas, Colorado, Florida, Georgia, Indiana, North Dakota, Pennsylvania and West Virginia. Why didn't they sign? Ask them if you get a chance. Here’s the letter and an article about this initiative.
Wired published an article describing how to remove default apps you never use from your phone. “Even the best phones come with bloatware, preinstalled apps that take up precious storage space.” Not only do they take up storage space, they also typically send data, including personal data, from your phone to a wide range of third parties…many of whom you may not want to have your private information.
PC Gamer pointed out the following: Windows 10 has a built-in ransomware block. Users simply need to enable it. “Turns out there is a mechanism in Windows Defender that can protect your files from ransomware.” NOTE: You must still be vigilant in not falling for social engineering tactics that could load ransomware into other parts of your system, via apps on your phone, etc.
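The Windows Defender mechanism the PC Gamer item refers to is, as far as we can identify it, Controlled folder access, which blocks untrusted processes from modifying files in protected folders. The following is an added example for this issue, not code from PC Gamer or Microsoft's documentation; it uses the Microsoft Defender cmdlets Get-MpPreference, Set-MpPreference and Add-MpPreference, and the folder and application paths in it are assumptions you should replace with your own. Run it from an elevated (Administrator) PowerShell prompt on Windows 10.

```powershell
# Added example (not from the page): enable and verify Controlled folder access in
# Microsoft Defender, the built-in ransomware block the item describes.
# Requires an elevated PowerShell session on Windows 10.

# 1. Check the current state: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
$before = (Get-MpPreference).EnableControlledFolderAccess
"Controlled folder access before: $before"

# 2. Weak setting (the default on many machines): the feature is off, so any process,
#    including ransomware, can rewrite files in Documents, Pictures and so on.
#    Set-MpPreference -EnableControlledFolderAccess Disabled

# 3. Hardened setting: block untrusted apps from modifying protected folders.
#    If you want to see what would be blocked before enforcing, run with AuditMode
#    for a few days first and review the audit events (step 7).
Set-MpPreference -EnableControlledFolderAccess Enabled

# 4. Protect folders beyond the defaults, e.g. a local backup location (assumed path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Backups'

# 5. Allow a legitimate application that must write to protected folders (assumed path).
#    Only add executables you trust; every allowed app is a hole in the protection.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyBackupTool\backup.exe'

# 6. Verify the resulting configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    EnableControlledFolderAccess = $pref.EnableControlledFolderAccess
    ProtectedFolders             = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
    AllowedApplications          = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
}

# 7. Review recent Controlled folder access events: 1123 = blocked, 1124 = audited.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Controlled folder access only protects the folders on its list and only against processes Defender does not trust; it does not stop ransomware from encrypting files elsewhere, exfiltrating data, or running from a trusted-but-compromised application, which is why the NOTE above about social engineering still applies.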
*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. A Beacon simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security News
Ransomware, surveillance, software vulnerabilities and more
Law and Legal Actions
Breaches
• Air India passenger data breach reveals SITA hack worse than first thought. Air India said this week that personal data of about 4.5 million passengers had been compromised following the incident at SITA, the Indian flag carrier's data processor. The stolen information included passengers' names, credit card details, dates of birth, contact information, passport information, ticket information, and Star Alliance and Air India frequent flyer data.
• University of California data breach: Sensitive information of staff, students leaked. On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization.
• 51% of organizations have experienced a data breach caused by a third party. A new report titled “A Crisis in Third-party Remote Access Security” reveals an alarming disconnect between an organization's perceived third-party access threat and the security measures it actually employs. The findings show that organizations are not taking the necessary steps to reduce third-party remote access risk and are exposing their networks to security and non-compliance risks. As a result, 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties.
Identity Theft and Identity Fraud
• A new trick from identity thieves. An excerpt: “Starting with a name, address and little more, scammers can 'extract more detailed information, such as driver's license numbers,' thanks to the auto-fill features intended to make it easier to apply for a policy on many car insurance websites. From there, it's a short jump to submitting a fake unemployment claim, which was what happened to us." This is not new! It has been going on for years; it is just being used much more often now.
• Anthony 'Rumble' Johnson charged with identity theft day after win at Bellator 258. Johnson was arrested at the Mohegan Sun Casino and later released on $500 bail. Johnson had allegedly used someone else’s credit card without permission in 2019 to purchase a plane ticket to Fort Lauderdale, Florida. The police obtained a warrant and arrested Johnson at Mohegan Sun Casino in Uncasville one night after he'd defeated Jose Augusto in the second round of their Bellator 258 clash.
• Online Identity Theft and the Impact on Your Job Prospects. A study picked up by CNBC claimed that nearly 14% of people who were victims of identity theft experienced problems when applying for a job (8.5% claimed it cost them the job opportunity). A further 32% (from a 2017 study) reported problems within their current role.
Software bugs, vulnerabilities and spyware
• Qualcomm vulnerability impacts nearly 40% of all mobile phones. A high severity security vulnerability found in Qualcomm's Mobile Station Modem (MSM) chips (including the latest 5G-capable versions) could enable attackers to access mobile phone users' text messages, call history, and listen in on their conversations.
• US Department of Defense expands vulnerability disclosure program. The US Department of Defense (DoD) has expanded its security vulnerability disclosure program (VDP) beyond its public-facing websites and web applications to encompass all publicly accessible information systems. That brings into scope all public-facing DoD networks, frequency-based communication platforms, IoT devices, and industrial control systems, among other technologies, the DoD announced yesterday (May 4).
• Facing a public backlash, an Israeli spyware firm is now scoring its government customers. In 2018, human rights group Amnesty International accused NSO in court of helping the Saudi government spy on a close associate of Washington Post columnist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul. Then Facebook sued NSO just a day after Sunray started work, alleging the company had helped hack over 1,400 of its customers.
• Keeping Spyware Out Of U.S.-Made Drones Is Harder Than You Think. This has led to a U.S. government initiative to build and encourage an American small drone industry to create a supply of trustworthy drones. Perhaps the most significant restriction is Section 841 of the National Defense Authorization Act, which prohibits the Department of Defense from acquiring anything with a printed circuit board from China (or Russia, Iran or North Korea).
Tracking and Surveillance
Cyber Crime and Warfare
• In New Zealand: Patients caught in the middle of cyber warfare. DHB’s IT system was taken down by hackers, sending hospitals all over Waikato back to a pre-digital dark age of pens, paper and whiteboards. Sensitive patient data and staff information appears to have been stolen, according to emails sent to media companies by those claiming responsibility for the breach. This means everything from medical records to contract and pay details.
Ransomware
• Yet another successful cybersecurity attack on part of the US critical infrastructure. As is becoming increasingly common, this one was a successful ransomware attack. No additional details about how it was executed have yet been provided. An excerpt: "The main pipeline carrying gasoline and diesel fuel to the US East Coast was shut down by its operator after being hit with a cyberattack. Colonial Pipeline Co.—which operates the 5,500-mile Colonial Pipeline system taking fuel from the refineries of the Gulf Coast up to the New York metro area—said it learned Friday that it was the victim of the attack and 'took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.'"
• Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom. The real issue is not whether to pay the ransom. It is having a data, cyber and network security program in place that 1) identifies ransomware attack attempts early, supported by frequent training and awareness for employees, contractors and supply-chain entities, 2) maintains sufficient, tested, up-to-date backups so that the need for the ransomed data is moot, and 3) continuously monitors networks for threats and suspicious activity and reacts quickly and appropriately.
• Cybereason vs. DarkSide Ransomware. “DarkSide is a relatively new ransomware strain that made its first appearance in August 2020. DarkSide follows the RaaS (ransomware-as-a-service) model, and, according to Hack Forums, the DarkSide team recently made an announcement that DarkSide 2.0 has been released. According to the group, it is equipped with the fastest encryption speed on the market, and even includes Windows and Linux versions.” They also have an affiliates program. They’ve basically created a very profitable, and still illegal, business for spreading their ransomware and making other cybercriminals rich off of their cybercrimes.
Work from Home and School from Home
• Bosses putting a ‘digital leash’ on remote workers could be crossing a privacy line. Some companies “have turned to technology to help [manage remote workers], but they may be walking a dangerous path using tools like artificial intelligence and algorithms to track employees and their work throughout the day, or even facial recognition that can ensure that someone is at their desk.” I cover these issues in detail in my upcoming book from my publisher, CRC Press, “Security & Privacy when Working from Home and Travelling.”
• One Year Later: How the Evolving Work-from-Home Climate Prompts Reminders for Technology Best Practices. A recent study suggests that among employed adults who say that most of the responsibilities of their job can be done from home, 54% would want to work from home, all or most of the time, after the coronavirus outbreak ends. While this ever-evolving work-from-home climate has challenged employers to embrace technology like never before, you should take note that the conveniences of technology do not come without legal considerations.
• From the UK: Work From Home: Risks and Regulations for the Age of Hybrid Work. According to YouGov, 37% of people surveyed say their business has adopted hybrid working systems. And according to PwC, just 20% of financial services employees want to work in the office three or more days a week once COVID-19 is no longer a problem. Deutsche Bank, HSBC, the Bank of Ireland and Google are all either adopting or considering work-from-home models.
Misinformation
• Scams and Misinformation Challenges. Cybercrime has increased at an unprecedented rate as misinformation and disinformation evolve in the form of chain messages, deepfakes, and phishing via voice, text and email. All of these tactics can cause financial and reputational damage. It should come as no surprise that tech companies are pivoting their focus from surviving the pandemic to providing solutions to address these growing cybersecurity challenges.
Miscellaneous
Where to Find the Privacy Professor
Podcasts, webinars, news articles and other content featuring Rebecca's insight
IT GRC Forum Round Table
Rebecca provides information about issues that need to be considered and addressed for GDPR compliance in work from home (WFH) environments, and when using IoT devices.
Thank you, Ludmila Morozova-Bus and Top Cyber News Magazine,
Latest Episode
Next Episode
Airing first on June 5, 2021!
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.